HHS is Slow to Address High Priority Recommendations of GAO

The Department of Health and Human Services is slow in responding to the high priority recommendations of the Government Accountability Office (GAO). Of the 54 high priority recommendations specified in a GAO report in March 2019, just 13 (24%) were dealt with to date.

In GAO’s November 2019 report, it was mentioned that 77% of GAO recommendations prepared 4 years ago were already implemented government-wide. However, HHS’ implementation rate was just 61%. By April 2020, 405 outstanding recommendations remain.

In the March 2019 report, there were 54 high priority recommendations identified. Another 18 high priority recommendations were created. There are currently 55 outstanding high priority recommendations. A number of them are releted to improving cybersecurity and reducing fraud risk.

GAO states there are 9 open priority recommendations that are public welfare linked programs and there are issues that could help make sure that appropriate federal agencies are complementing each other in managing risks, and there are resources required to deal with biological threats like the COVID-19 crisis. A few of these recommendations could assist the HHS in improving nursing homes oversight to better safeguard residents from abuse.

Crucial facilities in the United States, including healthcare, is seriously dependent on computer programs and electronic information, however critical cyber threats to the infrastructure keep on growing. There are presently around 7 open priority recommendations associated with cybersecurity that should be dealt with.

GAO information states that the HHS hasn’t made a cybersecurity risk management plan that consists of important risk-related components. The Centers for Medicare and Medicaid Services (CMS) hasn’t developed processes and steps yet to make sure that researchers and some other competent entities have enforced data security controls efficiently all through their negotiation with CMS. Progress likewise has to be made to implement IT innovations to set up the electronic public health situation awareness network.

A number of the recommendations were just partially resolved. GEO points out that the recommendations for HHS to create a cybersecurity risk management program and the set up processes for doing an organization-wide security risk evaluation were prepared in July 2019. The HHS noted in January 2020 that further points for the cybersecurity risk management strategy are still being drafted.

To completely work out the recommendations, HHS should make sure that its strategy consists of key elements, such as a statement of risk tolerance and data on the way the agency plans to evaluate, respond to, and keep track of cybersecurity risks. Additionally, HHS has to create a risk assessment procedure to permit the agency to take into consideration the entirety of risk produced from the operation and usage of its information systems.

Seven remaining recommendations are associated with fraud prevention. GAO remarks that estimations of incorrect payment in the Medicaid and Medicare programs is unacceptably high and had a total of over $103 billion in the 2019 fiscal year. The GAO recommendations are critical in helping to considerably lower that figure. Those recommendations consist of evaluating documentation prerequisites, making steps to reduce program risks, and reviewing prepayment claims.

GAO acknowledges the HHS and its other agencies are concentrated on responding to the coronavirus crisis and has advised the HHS to tackle the high priority advice the moment it could refocus its work. HHS’s operations would substantially improve upon implementation of the recommendations.